Internet Surveillance and Privacy

Abstract

The right to privacy has always been cardinal to democratic social group since its inception. In the time of disorder or turbulence, the urge to strengthen national security is often seen to trump right to privacy if individual.

In the era of technical developments the inherent capacity for surveillance of the average citizen has increased in exponential manner. This paper seeks to review the concept of privacy rights and how these rights have been changed due to occurrence of certain events in the age of internet. This article takes a comprehensive glance at the state of internet privacy in India under Information Technology Act, 2000 and finally, it provides recommendations for enhancement on security while remaining sore to privacy rights.

Introduction

The right to privacy has been fundamental assumption of free and democratic society since its inception. While not explicitly mentioned in US or Indian constitution, several court cases has established and supported that free citizen are provided right against government intrusion into their living. One finds it difficult to accomplish “Life, Liberty and the pursuit of Happiness without this2. Nonetheless, the right to privacy discovers itself in contrary to another inalienable right: right to security.

Having decided in Naz Foundation v Government of NCT3, there originated a feeling that right of privacy of individuals are gaining acknowledgement in Indian legal landscape4. The interesting fact about High Court decision reading down Section 377 of Indian Penal Code and decriminalizing Homosexuality was the hesitation of Central government to appeal in Apex Court.

Currently India’s almost comprehensive legal proviso that addresses privacy on internet can be found in IT Act, 2000. A reading of recently amended section 69 and 69B of the Information Technology Act, 20005expresses that this amendment has vested state functionaries with authority to intercept, monitor and decrypt information6. This also enables them to block access to website and collect traffic data7.

Prior to this amendment of Information Technology Act, there was vacuum in Indian laws regarding interception and monitoring in internet communication. It was executed by the general provisions of Indian Telegraph Act, 18858.

Online Privacy: Past and Present

Information Assembling

The raising access of internet was lately realized by Indian legislation in 2001. However, regulations regarding privacy were lacking in the statute11. The telecommunication interception rules were framed after Supreme Court in PUCL v Union of India12ruled out. These rules provided the design for intervention with privacy rights for “violation upon individual’s solitude or seclusion and information collection” These rules are the reflection of rules which has been amended under section 69 and 69B13 (Oct. 27, 2009).)).

Under section 5(2) of Telegraph Act were the rule for interception of telecommunication. These rules stated that when (i) a public emergency or (ii) public safety state of affair exists, then orders can be granted to issue directions for interception. These rules effectively empower high ranking public officials14to issue instructions regarding interception of messages15.

Various safeguards have been added to augment the section under rule 419-A of Indian Telegraph Rules to provide more specific documental formalities i.e. providing the details and particulars of officer directing the maintenance of records. Secondly, review committee has been formed up by limited regulatory oversight16.

However, in public cases involving classification of “violation of solitude or informal gathering” the courts apply doctrine developed under Article 14, 19, 21 of the Indian constitution17. This doctrine empowers judiciary to strike down statutes which are against the connection of legislation; but courts are unwilling to do the same because according to courts ‘right to privacy’ is too broad for interpretation and liberal in nature18. They have been adhering to procedure rather than limiting the substantive power of state. In PUCL v Union of India the Apex court laid down procedural safeguards to check warrantless tapping of telephone as directions19. In case challenging constitutional validity of MCOCA proviso regarding telephone tapping the Apex court decided that the provisions contains adequate procedural safeguards20.

After much of discontents and debate, the Information Technology Act, 2000 was amended in 2008. This amendment was sought to ratify the inefficiency with the application of enactment. To make this act independent and sufficient with regards to internet behavior21, section 69 was introduced by the law makers22.

Section 69 “Power to issue directions for interception or monitoring or decryption of any information through any computer resource.” this section reflects the section 5(2) of Telegraph Act, 1885 which also contains the same limitations on the powers to issue directions. It contains PUCL23alike constitutional limitation. It also includes the requirement of recording reasoning behind issuing the directions and also to remark the 5 classes of event as per section 5(2). There is no doubt that regulation as per section 69(2) for providing procedure also follows Rule 419-A in broad manner. They reflect most of the procedural safeguards.

Amendment of section 66E of the act brought forward the penalization for violation of privacy. It seeks to apply exclusively to image private area of person and under the situation where privacy has been violated24.

Information Processing

Section 69B of the Information Technology Act, 2000 titling itself to be concerned the right way with processing the information, is composition between gathering and processing of information.

Section 69B “Power to authorize to monitor or collect traffic data or informing through any computer resource for cyber security.” The aim and scope of this section is better online or internet management by mandating enhance in cyber security. This also prevents and analyzes the violation of computer contaminant.

This section also allows for issuing guidelines for monitoring and collecting information and data produced generated, received, transmitted or stored in any computer or internet source25.

A critique of ordinance formed under this section makes it unambiguous and states that harms or losses which will be incurred are in nature of data processing i.e. aggregation and identification26. This section provides safeguards similar to section 69 of the Act. As a result, the reasoning that has to be recorded is not threshold as established under Section 6927. These are the reasons which were pronounced in the PUCL case. Therefore, there lies a debate against constitutional validity of the section as the rules formed under it specifically speculate independent direction to supervise data, which inevitably requires interception.

Information Dissemination

What perplexes the mix of privacy damage is the character of information. Information which lies within the source of privacy differs case to case. It varies to scope of human activities and violation of privacy of individual receives a different class of harm. The law regarding whistle blowing or information disclosure has developed mostly with freedom of press. It has been often argued that disclosure of facts harms and violates privacy of individual in society28. These claims are usually looped in with the defamation law, when the person disputes the truthfulness of the information searched to be revealed or disclosed29. There are lawsuits where probe of information for which violation is complaint against developed through a fiduciary relationship. Regardless of their origin, court presumes the sources and contents of the information. For example fiduciary relationships i.e. bank-customer30, doctor-patients31and it also look into contents like failures to pay debts32.

Thus, it is upon the discretion of the court to allow disclosure when it concerns serious infection such as AIDS virus because of which marriage can result in communication of such virus33. Issues such as legitimacy of child and maintenance34), recovery of debts also includes35. Right to Information Act, 2005 has been developed regarding this recently36.

Protection against dissemination: As the 2008 amendment brought several sections to protect disclosure of information, which was absent prior to this. These include 43A which provides compensation which one will be liable to pay if he fails to protect sensitive or confidential data. The concern here is that these guidelines go beyond the scope of telecommunication regulations providing legal sanction for non-adherence. These are with objective to protect confidentiality with data thus they cannot be counted as proper legislative measurements to protect privacy loss of information because these are not examined for informal components.

Limitation of present privacy regime

Lack of incentive and procedure

As there are various underlying problems in present legal regime application which is also consider as design defect of surveillance system. An examination of several judicial decisions have established that although due process is followed by judiciary, they have intemperately relied upon framing of strict procedure as well as called for adherence to gauge telephone tapping validity and legality. In all possibilities, the approach towards online surveillance will be same.

The most evident critique which may be pointed towards the privacy through functional or procedural argument, will be that people individual is bound to comply such procedure so people will be not comply with such. Such a counter will be conclude that administration and executive officials i.e. police, put in charge of precautions will barely be stickler for following procedures. Their principle job will be policing rather than securing privacy to individual. Hence, they will be liable for institutional bias37to their natural function. The anticipator finds it legitimate and logical end by making a less incentive reasoning. A review of judicial decision shows that judiciary have convicted wrongdoer on evidence collected by unconventional procedure when such is usually held not obligatory38. It does not affect the admissibility of evidence in the court of law if there is inadequacy in observing the safeguard in the case of telephone tapping39. The court ruled out those two loopholes has been pointed out in orders regarding authorization and confirmation of interception of telephone number. It was not established by the prosecution that Joint Director (IB), who acted as interceptor and authorized the interception, withstands the rank of Joint Secretary to Union of India. Secondly, verified orders which were passed by Home Secretary (Volume VII, Page 446-448) would suggest that confirmation was potential in nature. Nevertheless, these inefficiencies and inadequacies do not rule out the admission of intercepted communication through telephones as evidence. It is also to be looked that Section 5 and Rule 419A does not deal with rule of evidences unlike Section 45 of POTA. The non-compliance with provisions of Telegraph Act does not intrinsically affect admissibility40.

Ineffective injury redressal system

The problem on non-abidingness to procedure is compounded because of inefficient legal measurements to expose or detect the privacy loss, until the data is distributed publicly making the subject known to infringement. This appears essential as a notification may lead to the concealment of information which is looked to be assembled. However this problem is demonstrating. It is predicted that dearth of precedent that challenges unjustified surveillance can be attributed to the confidentiality. There are observational evidence indicates that unwarranted or unjustified surveillance is very large and occurs frequently. The PUCL case itself is reflexive as it arose out of a series of study demonstrated by CBI which indicated that high level of non-warranted ear wigging on communication between politicians41. In a recent case which was one of iconic headlines of mass communication when the phone was illegally tapped of leader of major politician42.

Even in an uncertain event where an individual suspects that he is being under espionage or electronic spy, his remedies are enforceable. The courts have their discretion to entertain such through a writ petition under Article 32 or 226 of Indian constitution43. Judicial review of actions which are unjustified can be sought and relief may be granted accordingly. The other options includes criminal action police officer or any administrative officer for criminal trespass as per proviso of Code of Criminal Procedure, 1973 and damages by filing civil suit can also be claimed. These remedies somehow may look cushy and attractive but it takes substantial efforts and counseling to enforce specially in a judicial system like India. Thus, relying over judicial proceedings to seek remedy of privacy breach will be an ineffectual option.

Limited protection against loss of privacy of individual

As absence of data protection standards, the current privacy regime comes into being for the protection of civil liberties of individual against the political body. In a set-up of such nature the protection which is sought against individual or private entity, can only be sought when there in non performance of functions which are performed under the state supervision. Thus, these kinds of approaches neglects the fundamental temporal of internet economy, where the state is considered as fringy player, and users’ look for habits which are diminished in some of internet service providers. From the basic access of database from desktop, a user generally logs in a search engine or internet service provider. These are operated by the same corporation most of the time, known as conglomeration i.e. Yahoo-mail44, Gmail commonly known as Google-mail45, Rediff-mail, Hot-mail, Bing. The basic revenue model of such conglomeration companies’ is prepared upon the basis of providing contextual promotion and publicity to support the kind of service they provide. This is not an anticipated argument but the use of such information can lead individual of privacy loss. For example the creator of the cyberspace itself has conveyed that searching for information regarding cancer or depression may result in increased health insurance policy and indemnity premiums as the companies can data track activities of consumer and sell the same information to the insurance company46.

Non acknowledgment of loss of information processing

The current privacy regime is narrow in scope as does not provide protection and safeguard against several losses which are incurred. These are dazzling regarding the complete non-acknowledgement of crucial harms which are incurred more frequently. A novel amount of personal data and information is accessible online and when amalgamated, life of individual becomes ‘’ over time47. Increase in the degree of privacy loss is the concept that data is saved in immense private database by limited conglomerates because of confidential and limited nature of online service provider industry. Nevertheless, when this confidential data is visible non-contextually, it results into wrongful illation being drawn i.e. search logs of a person can possibly for research purpose and not for subjective or private health checkups. The concerning fact here is that person whose information is assembled does not have any kind of acknowledgement or notice causing loss of exclusion.

This kind of exclusion of data processing and not data gathering thus, there ought not to be any reasoning behind such exclusion. Presently, it is not inapposite to paying attention to EU Law on Privacy and refers those guidelines which comprise a basic prohibition backed by sanctions against confidential database. In addition the probable loss of secondary use, where data collected with intention to other than for which it was gathered. For a sturdy and strong privacy regime more procedures and law need to be prescribed to protect against loss of privacy which are unambiguously going on in cyberspace communications.

A Deeper cut to privacy

The abovementioned defects are underlying design defects in conceding sanction for surveillance and can also be applied to all mediums of telecommunication or cyber-communication. This section analyses certain harms that occurs specifically towards internet and cyber communication. The internet as an interactional intermediate renders individual with vast range of application befitted to cater any information required. This may be thru the form of text, audio or video, the application of internet is very broad in nature, which makes harms of interception through cross synergies, much deeper. The harm is much more than of conventional telephonic tapping.

When an individual access the internet, he expects privacy to a certain level which he finds reasonable48. Unaware due to satisfaction of own desires and curiosities, he may reveal more piece of information to a computer than to another individual.

Thus, communications through internet or cyberspace are confidential in nature and concern the essential privacy of individual. Cyberspace communication is manifestation of individual’s motive or intention. Statement of John Battelle to this context makes for reading “Link by link, click by click, search is building possibly the most lasting, ponderous, and significant cultural art effect in history of mankind: the database of intention”,49Thus, by following the same orthodox and principle which has been established for telephone tapping would be complete simplification and answer of all the question posed by loss of privacy and data alteration in cyberspace and internet communication.

Comparative Study of Data Protection

United Kingdom

In United Kingdom parliament in 1984 passed Data Protection Act (DPA) which was struck down and replace by Data Protection Act, 1998. The objective of the act is protection of personal data of individual and enhancement of privacy regime in states. The act protects all kind of private data i.e. name, Email and address, etc. The Act applies to all kind of data and information which is capable of being held on computer or electronic operating equipments in relevant file system. This act mandates each person or organization which stores data or personal information to register to the same to Information Commissioner50. Besides that United Kingdom in August 2011 passed Cyber crime prevention Act. The objective of this act is to put restrict on collection of personal information or private data other than lawful purpose.

Similar legislation regarding cyber crimes and rules is also adopted by other nations i.e. China, Australia, Canada.

United States of America

Although United States and European Union aims to protect privacy of individual in state, United States has adopted entirely different approach regarding privacy regime. Unites States follows mix legislation and self regulating sectoral approach. Data and information is classified into several section based on their value and significance. In 1974 Privacy Act was passed providing government agency to compare data in different classed based on their nature. United States have the democratic HIPPA Act, commonly referred as Health Insurance Portability and Accountability Act which governs all the records regarding health and insurance policy. The upkeep regarding issue of privacy and confidentiality covers in this act. In 2002 legislation signed Sarbanes-Oxley (SOX) Act to officially mandate and instructs a few reforms for enhancement of corporate liability. This act also contains provisions for financial disclosure to combat accounting fraud and corporate crimes. United States legislation also covers certain policies i.e. Cable Communication Policy Act, Online Privacy Protection Act, Electronic Communication Privacy Act for interception of Telecommunication through Electronic means Both federal and states have their respective laws regarding data protection51.

India

Looking at the Indian Scenario, with the wrongful use of technology, the strict need to regulate criminal activities arose. Information Technology Act amendment in 2008 along with certain provisions of Indian Penal Code came into picture for protection of cyber space crimes.

Constitutional Liability: Hacking or stealing into someone’s intellectual work is strict violation of Right to Privacy. Although constitution does not explicitly mentions right to privacy but it is protected under Indian Constitution. The Supreme Court in many cases examined right to privacy under Article 14, 19 and 21 of Indian Constitution52. Many judicial decisions have affirmed that right to privacy is very much of fundamental right under Article 21 of Indian Constitution.

Other then Indian Penal Code provisions, there are other acts under Indian legislation which imposes criminal liability i.e. Copyrights Act. This includes Infringement of Copyrights63, Abatement for infringement of Copyrights64, penalty enhancement on second conviction or subsequent infringements65, knowing use of computer program or infringing copy of computer program66.

The Application of these provisions varies case to case basis and these are subject to investigation and charge-sheet filing depending on the nature of the crime.

Tortious Liability: Basic structure of cybercrime is established through Donoghue v Stevenson67. In India it developed through Information Technology Act, 2000 followed by 2008 amendment. This Act is basic structure of Tortious liability in India. There are provisions regarding penalty and compensation for computer damage68, Failure to protect data, hacking computer system69, Dishonestly receiving computer or communication devices70, Cheating by using electronic means i.e. computer, Violation of privacy71, Data alteration72, Cyber terrorism73, Publication of material containing sexually explicit acts74, obscene material, misrepresentation75, falsify digital signatures76, breach of confidentiality and privacy77and all offences by companies78. This act also applies to acts committed outside Indian Territory79.

Analysis

By comparing Indian laws on cyberspace with the laws of developed countries, the requirement of proper law in India can be analyzed. Data are dissimilar in nature based on their value, utility and importance, so all data cannot be considered alike. We require framing the separate and classified category of data having different quality, utility and value as the United States has adopted. Furthermore, the provisions of Information Technology Act are narrow in nature as it only deals with the extraction and destruction of data, etc. Companies cannot get complete protection of data which force them to enter into separate privacy contracts to keep their data confidential and secured. These contracts are enforceable under law. Apart from the loopholes of Information Technology Act, police system and officials are not familiar with cybercrimes in India. They need proper training to recognize with “Modus Operandi” of Internet and Cyber related crimes.

Despite the fact that efforts have been mode for proper data protection law as independent discipline, Indian legislative body left some lacuna in drafting of 2006 bill of Personal data Protection. This bill was drafted by following United Kingdom Data Protection Act but requirement is of an effective comprehensive act. Both Bar and Bench need to cognize the extent of internet crimes. They should make themselves conversant with complexness of cyber law and draft law by fulfilling the today’s requirement.

Conclusion

Privacy ideologists have to harmonize with the fact that their state and administration has right to intercept and supervise data control in a specified situations. This is more asserted given the current situations where scepter of cyber-war and terrorism is obsessing most of the nations. Once this agreement is achieved; next logical step will be to secure the checks and balance of potential abuse of data while intercepting. Without competent incentive designs, checks and balance are merely curiosity at best. The provisions made under the ordinance recently cannot be called defective, yet imperfect. It would be not wrong to say ratification and refinement is required in current regime of cyberspace laws. Mandating the ex-ante ex-party judicial orders can be an outsmart alternative towards information gathering. Such orders are capable of curing inherent defects as they remove inherent bias of the officials.

This will be more realistic and convenient compromise and will not lead to major shift in current procedure aimed approach. The breach of privacy is higher than traditional encroachment of privacy. The provision of section 69 should also be applied to section 69B of Information Technology Act. Above and beyond this the causation privacy loss is clear, which postulate safeguard developed by PUCL Court under “right to privacy” to be added in section 69B.

Clearly, privacy under cyberspace is an emerging and essential field in India’s cyberspace society. As companies collect huge data and information from online users, and government has been successful in surveillance capabilities, it is crucial that Indian legislation prioritize privacy of individual. The amendments without rectification create prison with surveillance station, Bentham’s panopticon. Confronted by privacy issue on cyber communication, the legislature faces a fragile duty to decide crucial policy matters. Either following totalitarian tendency or adopting a liberal conception can afford a security net to privacy.

Section 69A, Information Technology (Amendment) Act, 2008, No. 10 of 2009. Even though this section does affect the civil liberties of an individual, it is outside the scope of the present article, as the right being analyzed in this article is the right to privacy and not the right to speech and expression [↩]

R. M. Malkani v. State of Maharashtra, A.I.R. 1973 S.C. 157 (India). The court deciding on the admissibility of evidence under section 7 of the Evidence Act, 1972 held that, “…there is warrant for the proposition that even if evidence is illegally obtained it is admissible [↩]

It is to be noted that even though the Information Technology Act, 2000 does not contain a section analogous to section 45 of the Prevention of Terrorism Act, 2002 which contained language to make evidence admissible even in cases of procedural impropriety for which the decision was given, the general approach of law enforcement is to flout procedural safeguards [↩]